Is the era of the e-mail worm officially over?
No, not entirely. Floppy, boot-sector viruses are essentially gone and the e-mail-only worm is gone. But it has morphed now into the blended threat. You look at many of the most recent worms -- Klez, Magistr, Bugbear -- all of them attacked multiple avenues like open network shares, e-mail, IM [instant messaging]. Propagation is high unless enterprises protect all those vectors. That's the challenge, especially with having a lot of mobile workers and business partners with network access. Where does the perimeter end these days?
What's the biggest threat to an enterprise? The malicious code writer, cumbersome software patches or the bogged-down administrator?
It's a combination of all really. The volume of updates an administrator faces is potentially in the hundreds. How do they know which are more important to address? Traditionally, it's been done on a risk-rating system. Match the vulnerability to your assets. Track the risk of an attack. If it can be leveraged against your assets, then it's a liability that needs to be addressed.
Then they have to deal with the stability of fixes and patches. Many administrators would rather wait for a service pack than apply a hotfix to a system or application. It's a safer route. But the question is, do they have enough time to wait for a service pack? That notion that they may have a year or two to get a patch up and running is no longer the case. The
They prey on new technologies, like wireless, like PDAs. They learn from past mistakes and yes, enterprises play catch-up in these areas. Virus writers often use existing exploit technology and continue to exploit what others have had success with. Antivirus technology, meanwhile, is mostly signature-based. But there is behavior-blocking technology and we've had a lot of success against worms using heuristics.
We've seen the motivation factor change for virus and worm writers. Virus and worm writers and hackers used to be two different skill sets. That's no longer the case. They're often using the same skills and using worms, for example, as early reconnaissance for a later attack.
If there was one issue or concern that enterprises express over and over, what would you say it is?
For enterprises, it's definitely information overload and manageability. They're saying, 'I'm getting so much information from my IDS and other network logs, I don't know how to manage it.' You cannot silo security. It's not just antivirus, or it's not just intrusion detection or firewalls. I think you'll soon see a trend of consolidation of [firewalls, antivirus, intrusion detection and intrusion prevention] into a single appliance.
How many enterprises are actually aware of, or are using, behavior-based defenses?
With technologies like behavior-based antivirus or intrusion prevention systems, it's often an either-or thought. The answer is, however, that it's a combination of characteristics of both that works best. A behavior-based system that can tell an administrator that it has detected an anomaly, and by the way, it has also run a signature against it -- that's the best way to go. Enterprises need the same thing for policies.
That kind of flies in the face of the best-of-breed security world.
Enterprises should have the best technology and services. Many companies right now have multiple vendor technologies in their environments. They need to know how to understand it all and make the right decisions. They need the right management system to tie things together. Our researchers said that any given company can have up to 9.5 million security events, and of those, 600 are probably actual attacks and 22 of those, serious breaches of their environment. It's not a needle in a haystack anymore. It's a needle in a pile of needles you find in the haystack.